This article describes the approaches used for the various types of business continuity management (BCM) audits and how audits affect the business continuity planner. It also describes the most common weaknesses found in business continuity plans. Lastly, it presents a road map for preparing for a BCM audit.
BCM Audit Definition
The most general definition of an audit is an evaluation of a person, organization, system, process, project, or product. A BCM audit is an independent evaluation of the business continuity management program or its components by internal or external independent parties.
Types of Auditors
There are several types of auditors such as internal auditors, external auditors, and compliance auditors.
- Internal auditors are employees of the company who assess and evaluate its system of internal control. A business continuity plan is considered an important component of an internal control system. To maintain independence, internal auditors report directly to the board of directors (typically its audit committee) or to executive management.
- External auditors are independent staff of an auditing firm who assess and evaluate the financial statements of their clients or perform other agreed-upon evaluations, such as IT audits, that may also address the organization's business continuity plans.
- Compliance auditors are examiners, normally from a regulatory or accrediting body, such as the FFIEC, FERC, DHS/FEMA, or the Joint Commission (JCAHO) for HIPAA-covered healthcare organizations, depending on the industry.
Reasons for the BCM Audit
There are many reasons for BCM audits. The audit may be prompted by the internal audit department, by an external audit organization such as the CPA firm that performs the financial audit, or by a regulatory examiner. It may also be triggered by the results of an actual emergency event or of a test exercise. The board and/or executive management may request an audit of the BCM program or of components of it. In some cases a customer may request a BCM audit, as is common for customers of service organizations.
Benefits of a BCM Audit
There are several benefits to be obtained from a BCM audit. The audit provides an independent evaluation of the BCM program and identifies its strengths and weaknesses. It can also reveal high risks and the mitigation strategies associated with them. The results should include recommendations for BCM improvements and identification of "best BCM practices."
BCM Standards, Guidelines, and Frameworks
The BCM planner may have several questions for the BCM auditor about the pending audit, the first of which is usually: what standard will the BCM audit be measured against? Several BCM standards, guidelines, and frameworks are used for developing BCM plans, including:
- Disaster Recovery Institute International (DRII)
- Business Continuity Institute (BCI)
- COBIT – Control Objectives for Information and Related Technology
- ISO/IEC 17799 (since renumbered ISO/IEC 27002) and the ISO/IEC 27000 series
- National Fire Protection Association 1600 (NFPA 1600)
- BS 25999 (British Standards Institution); its Part 2 specification has since been superseded by ISO 22301
- Various state statutes and regulatory requirements
Legal and Regulatory Requirements
Both the BCM planner and the BCM auditor should have a solid understanding of the applicable legal standards and regulations and of the organizations that make the rules.
- Health Insurance Portability and Accountability Act (HIPAA) – Protects medical records and other health information. The HIPAA Security Rule's contingency plan standard (45 CFR 164.308(a)(7)) requires covered entities to maintain a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and to test and revise them.
- Department of Homeland Security and Federal Emergency Management Agency (DHS/FEMA) – Provides guidance for developing Continuity of Operations (COOP) plans as described in Federal Continuity Directive 1 and Federal Continuity Directive 2. These are applicable at all levels of the Federal Executive Branch and are also useful for state, local, territorial, and tribal governments.
- National Institute of Standards and Technology (NIST) – Publishes Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems" (retitled "Contingency Planning Guide for Federal Information Systems" in Revision 1), which provides instructions, recommendations, and considerations for IT contingency planning.
- Federal Financial Institutions Examinations Council (FFIEC) – Provides guidance to the financial services industry about the importance of business continuity planning.
- Federal Energy Regulatory Commission (FERC) – Regulates the interstate transmission of electricity, natural gas, and oil.
- Sarbanes-Oxley Act of 2002 – Requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). The ability to recover the systems that produce financial reports is an important aspect of those internal controls.
Scope of BCM Audits
The BCM planner should ask and understand: what is the scope of the BCM audit? Knowing the scope helps the planner prepare the materials the BCM auditor will need. The scope could include some or all of the items listed below:
- Business continuity management program and BCM policy
- Enterprise BCM, IT disaster recovery plan, and/or business unit/department BCPs
- Supporting plans (i.e., emergency plan, crisis management plan, pandemic plan, and others)
- Business impact analysis, risk assessment, recovery strategies development, plan design and documentation, training, testing exercises, or all of these phases
- Single points of failure (a single element, component, system, device, or person whose loss would interrupt a critical service; availability is the aspect of continuity planning concerned with eliminating single points of failure)
- BCM roles and responsibilities
- BCM software (management, access, security)
- Plan availability and updates
- Plan maintenance and evidence of updates
- Plan testing exercises and evidence of testing
BCM Audit Concerns and Focus
BCM auditors typically have several areas of concern, described below.
- Risk Assessment – The BCM auditor may audit the results of the risk assessment as well as the process used to develop it, to judge whether it was comprehensive. The auditor may inquire about the methodology and approach used. Questions may relate to the analysis of threats and vulnerabilities, physical and environmental security, backup and off-site storage, and single points of failure. In particular, the BCM auditor will be interested in the mitigation strategies that have actually been implemented, not only those that were recommended.
- Business Impact Analysis – The BCM auditor may audit the results of the business impact analysis (BIA) as well as the process used to develop it, to judge whether it was comprehensive. The auditor may inquire about the methodology and approach used. The audit may review stakeholder input, recovery point objectives (RPOs), recovery time objectives (RTOs), resource prioritization, potential losses, and interdependencies, and in particular whether the RTO and RPO declared for a business process are achievable given the RTOs and RPOs of the systems it depends on.
- BCM Structure and Documentation – Effective documentation and procedures are extremely important in a business continuity plan. Considerable effort and time are necessary to develop a plan, yet many plans are difficult to use and become outdated quickly, and poorly written procedures are extremely frustrating to follow under stress. Well-written plans reduce the time required to read and understand the procedures and therefore improve the chance of success if the plan has to be used. Well-written plans are also brief, to the point, and meet all project and organizational objectives. A well-organized business continuity plan directly affects the recovery capabilities of the organization. The contents of the plan should follow a logical sequence and be written in a standard, understandable format, and a glossary of technical terms and acronyms helps readers understand the procedures and documentation.
The BCM auditor may audit the BCM structure and documentation. The audit may review activation procedures, communications plan, recovery teams, scenarios, command and control center, alternate facilities, detailed recovery procedures, and other considerations.
The BCM auditor may also ask:
- Where is the electronic copy of the BCM stored?
- Is the electronic copy of the BCM secure?
- Who has access to the BCM and what type of access (read/write/delete)?
- Is there a backup of the BCM and is it stored offsite?
- Are there hard copies of the BCM and are they secure?
- BCM Training – Training is an important aspect of completing the business continuity plan. All employees must know their specific roles in the plan and how to fulfill their responsibilities. Specific training is necessary to maintain, implement, and test the BCM. Training recovery personnel and giving them multiple skills has a significant effect on the success of the plan and on the time required to execute it. An awareness program should be used to initiate staff training on business continuity planning and should be included in employee orientation and related materials.
- Successful execution of the BCM depends largely on how well participants accept the importance of the plan, on the credibility of the plan, and on the degree and quality of the training provided.
- It is essential to train all members of the planning team as well as other key staff. The BCM auditor may examine the training plan, the types of training provided, the instructors and participants, the content of the training, and the training evaluations and results.
- BCM Testing – The plan should be thoroughly tested and evaluated on a regular basis (at least annually). Procedures to test the plan should be documented in a test plan. Testing and exercises provide the assurance that all necessary steps are included in the plan. The BCM auditor may examine the BCM policy statement for the testing responsibilities and requirements. In addition, the auditor may also review the test plan, the participants, and the documentation resulting from the test such as problem logs. Debriefing documentation could also be requested.
- BCM Maintenance – As systems change, the BCM must be updated to reflect those changes. The maintenance procedures should provide for a regular review of the plan by key personnel within the organization. The BCM auditor may examine maintenance logs, maintenance policies and procedures, maintenance roles and responsibilities, the frequency of updates, and plan distribution methods. Some organizations make a BCM review a required step in their change management and control procedures, so that no system change is approved without its effect on the recovery strategy being assessed.
Most Common BCM Weaknesses
Some common weaknesses of business continuity plans identified as a result of BCM audits are listed below:
- There is often a BCM plan, but it does not contain a BCM policy statement.
- Organizations often have multiple types of plans without adequate integration. For example, the emergency plan or the crisis management plan may not be properly coordinated with the BCM. This can result in confusion when the plan(s) need to be activated.
- Some organizations have developed comprehensive business continuity plans, but maintenance roles and responsibilities have not been clearly defined. This can result in the BCM quickly becoming outdated.
- There may be a lack of training and knowledge transfer on the BCM. This creates significant reliance on a few individuals and can result in improper execution of the plan.
- Many organizations perform IT testing exercises but limited testing in other areas. This too can create problems if the plan needs to be activated.
- In some organizations, IT professionals develop the BIA and determine priorities without stakeholder involvement. Although IT professionals often have a good understanding of the business processes, a lack of stakeholder involvement can result in incorrect RPOs and RTOs.
- Many organizations do not include BCM in the change management process. This can result in a system being implemented without a recovery strategy.
- Some organizations have developed good recovery strategies but have not documented the procedures needed to carry them out.
Road Map for BCM Audit Success
The following recommendations will help the BCM planner come through an audit successfully:
- Understand the scope of the audit and the standards it will be measured against
- Ensure that all BCM documentation is up to date
- Ensure that all phases of the BCM development process have been performed and documented
- Ensure that there has been adequate training on the BCM and its supporting documentation
- Ensure that the plan has been exercised and that debriefing documentation has been completed
- Work with (not against) the BCM auditor
- Treat the audit findings as a source of improvements, not only as a compliance result
Geoffrey Wold, CISA, CGEIT, CPA, CMA, CMC, CDP, CSP, CFSA, CIRM is a partner and the managing director at LBL Technology Partners. He provides a wide range of business continuity management consulting services and has written books on business continuity and security planning. Wold has consulted on hundreds of business continuity plans throughout the nation.